webbrowser-app re-execs itself which breaks webapps under application confinement

Bug #1228236 reported by Jamie Strandboge
This bug affects 1 person
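| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Critical | Jamie Strandboge | |
| apparmor-easyprof-ubuntu (Ubuntu Saucy) | Fix Released | Critical | Jamie Strandboge | |
| upstart-app-launch (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| upstart-app-launch (Ubuntu Saucy) | Won't Fix | Undecided | Unassigned | |
| webbrowser-app (Ubuntu) | Invalid | Undecided | Unassigned | |
| webbrowser-app (Ubuntu Saucy) | Invalid | Undecided | Unassigned | |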

Bug Description

When a webapp is launched via the upstart job, webbrowser-app re-execs itself, causing an apparmor denial and failure to launch the browser:

First, install the facebook app from the appstore.

Then, from adb shell:
root@ubuntu-phablet:/# sudo -H -u phablet -i
phablet@ubuntu-phablet:~$ start application APP_ID=com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0

This results in the following denial in /var/log/syslog:
Sep 20 15:58:17 ubuntu-phablet kernel: [ 6505.474410] type=1400 audit(1379692697.211:80): apparmor="DENIED" operation="exec" parent=1479 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0" name="/usr/bin/webbrowser-app" pid=6248 comm="sh" requested_mask="x" denied_mask="x" fsuid=32011 ouid=0

Adding the following rule to /var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0:
  /usr/bin/webbrowser-app rmix,

and reloading policy with 'sudo apparmor_parser -r /var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0' works around the issue.

This is a harmless addition to the ubuntu-webapp template, so I will do that. However I'm concerned that HTML5/PhoneGap apps that use a webview may also suffer from this, so it is worth investigating. That said, we do have an rmix rule for qtchooser in the ubuntu-sdk template, so we might be ok there.

Interestingly, the re-exec only happens when running under upstart-app-launch, not when using aa-exec-click.
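
Added example (not part of the original report, and not code from apparmor-easyprof-ubuntu): a small triage script that parses AppArmor DENIED records like the one quoted above and lists, for each exec denial, the profile file and the candidate rule in the form used by the workaround. The `click_<profile>` file naming is assumed from the single path shown in the report, and the function names are hypothetical.

```python
import re

# Constructed input: the denial quoted in the report plus an unrelated line.
SAMPLE_SYSLOG = [
    'Sep 20 15:58:17 ubuntu-phablet kernel: [ 6505.474410] type=1400 '
    'audit(1379692697.211:80): apparmor="DENIED" operation="exec" parent=1479 '
    'profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0" '
    'name="/usr/bin/webbrowser-app" pid=6248 comm="sh" requested_mask="x" '
    'denied_mask="x" fsuid=32011 ouid=0',
    'Sep 20 15:58:18 ubuntu-phablet kernel: [ 6506.000000] unrelated message',
]
# Assumption: profile files are named click_<profile>, as in the report's path.
PROFILE_DIR = "/var/lib/apparmor/profiles/"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key == "name" and HEX_RE.fullmatch(raw):
            # audit emits names containing spaces or control bytes as bare hex
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def candidate_rules(lines):
    """Unique (profile file, rule) pairs for exec denials, first-seen order."""
    seen = []
    for line in lines:
        d = parse_denial(line)
        if not d or d.get("operation") != "exec" or "x" not in d.get("denied_mask", ""):
            continue
        if "name" not in d or "profile" not in d:
            continue
        path = d["name"]
        if re.search(r"\s", path):
            path = '"%s"' % path  # AppArmor policy accepts quoted paths
        # "rmix" is the mode the report chose (read, mmap, inherit-exec);
        # whether ix is the right exec transition is for the reviewer to decide.
        entry = (PROFILE_DIR + "click_" + d["profile"], path + " rmix,")
        if entry not in seen:
            seen.append(entry)
    return seen

if __name__ == "__main__":
    print(*candidate_rules(SAMPLE_SYSLOG), sep="\n")
```

The output is a list of candidates for review; with `ix` the re-exec'd binary keeps running under the same profile rather than leaving confinement.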

Jamie Strandboge (jdstrand) wrote :

Marking bug as Critical because without the workaround rule, webapps will break when Mir is the default.

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
Jamie Strandboge (jdstrand) wrote :

I'm going to mark the webbrowser-app task Invalid for now; this seems like an upstart issue. We can reopen if needed.

Changed in webbrowser-app (Ubuntu Saucy):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.33

---------------
apparmor-easyprof-ubuntu (1.0.33) saucy; urgency=low

  * ubuntu-webapp: allow reexec for webbrowser-app to handle webapps launched
    via upstart-app-launch (LP: #1228236)
 -- Jamie Strandboge <email address hidden> Fri, 20 Sep 2013 11:46:35 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

This doesn't seem to cause problems. Closing for now. We can reopen if needed.

Changed in upstart-app-launch (Ubuntu):
status: New → Won't Fix
Changed in upstart-app-launch (Ubuntu Saucy):
status: New → Won't Fix